Windows 7 attempts to make LDAP queries to root domain during enrollment operations


In a case I worked recently, we discovered a side-effect of the new cross-forest enrollment functionality that was implemented in Windows 7 and Windows Server 2008 R2.

In short: by default, W7 and W2k8 R2 clients in child domains need to be able to make UDP LDAP queries (CLDAP) against DCs in the root domain of the forest. If this is blocked, the enrollment process halts for those clients.

This is related to the Certificate Enrollment Policy (CEP) for the forest, which by default points to DCs in the root domain.

Another symptom of this is that running certutil -template on a Windows 7 or Windows Server 2008 R2 client will fail with the error code 0x80094004.

The workaround is relatively simple: either allow CLDAP queries from the clients to the root DCs, or add a new CEP that points to a W2k8 R2 Web Enrollment Server in the child domain (the latter requires the forest to be running the W2k8 R2 schema).
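The following PowerShell script is an added diagnostic for the situation above; it is not from the original post. It enumerates the DCs of the forest root, sends each one a minimal CLDAP rootDSE search on UDP 389 and reports whether it answers, then runs certutil -template and flags the 0x80094004 result described above. It assumes it runs on a domain-joined client in a child domain, that the root DCs answer a rootDSE search over UDP (the same transport the DC locator uses), and the function names are my own.

```powershell
# Added diagnostic (not part of the original post). Assumes: domain-joined client
# in a child domain; forest root DCs answer rootDSE searches over CLDAP (UDP 389).

function Get-ForestRootDomainControllers {
    # Resolve the forest root and its DCs via .NET, so no RSAT module is required
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    New-Object PSObject -Property @{
        RootDomain = $forest.RootDomain.Name
        DCs        = @($forest.RootDomain.DomainControllers | ForEach-Object { $_.Name })
    }
}

# Hand-built LDAP SearchRequest (BER): messageID 1, base "", scope baseObject,
# derefAliases never, no limits, typesOnly FALSE, filter (objectClass=*),
# requested attribute currentTime. Total 52 bytes: 2-byte header + 50-byte body.
$ascii = [System.Text.Encoding]::ASCII
$hdr = [byte[]](0x30,0x32, 0x02,0x01,0x01, 0x63,0x2d, 0x04,0x00, 0x0a,0x01,0x00,
                0x0a,0x01,0x00, 0x02,0x01,0x00, 0x02,0x01,0x00, 0x01,0x01,0x00, 0x87,0x0b)
$attrs = [byte[]](0x30,0x0d, 0x04,0x0b)
$script:CldapRootDseQuery = [byte[]]($hdr + $ascii.GetBytes('objectClass') +
                                     $attrs + $ascii.GetBytes('currentTime'))

function Test-CldapRootDse {
    # Returns $true if the server answers a rootDSE search over UDP 389 (CLDAP).
    param([Parameter(Mandatory=$true)][string]$Server, [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 389)
        [void]$udp.Send($script:CldapRootDseQuery, $script:CldapRootDseQuery.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
        # Any BER SEQUENCE (0x30) back means the DC answered on UDP 389
        return ($reply.Length -gt 0 -and $reply[0] -eq 0x30)
    } catch {
        # Timeout, ICMP unreachable or name resolution failure: treat as blocked
        return $false
    } finally {
        $udp.Close()
    }
}

function Test-ChildDomainEnrollmentPath {
    $root = Get-ForestRootDomainControllers
    Write-Host "Forest root domain: $($root.RootDomain)"
    $reach = foreach ($dc in $root.DCs) {
        New-Object PSObject -Property @{
            RootDC         = $dc
            CldapReachable = Test-CldapRootDse -Server $dc
        }
    }
    $reach | Format-Table RootDC, CldapReachable -AutoSize

    # The symptom from the post: certutil -template fails with 0x80094004
    # when the client cannot reach the root DCs over CLDAP.
    $out = certutil -template 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $out -match '0x80094004') {
        Write-Warning "certutil -template failed (exit $LASTEXITCODE)."
        if (-not ($reach | Where-Object { $_.CldapReachable })) {
            Write-Warning "No forest root DC answered on UDP 389; open CLDAP to the root DCs or point a CEP at an enrollment web server in the child domain."
        }
    } else {
        Write-Host "certutil -template succeeded; enrollment policy lookup is working."
    }
}

Test-ChildDomainEnrollmentPath
```

Run it in an elevated PowerShell session on an affected client. A row showing CldapReachable = False for every root DC together with the 0x80094004 failure confirms the firewall path is the cause rather than a CA or template problem; TCP-only connectivity checks (for example Test-NetConnection on port 389) would not reveal this, which is why the probe uses UDP.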

Note: On Windows 8/Windows Server 2012 clients the behaviour is slightly different: the client still attempts the connection to the root domain, but if it fails to connect to DCs in the root it uses the information from a DC in the child domain instead.

White paper on Windows Server 2008 R2 Enrollment Web Services:
http://blogs.technet.com/pki/archive/2009/09/15/certificate-enrollment-web-services-whitepaper.aspx